These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below.
Variable | Type | Description | Introduced in version |
---|---|---|---|
NSRANDCOUNT | Integer (byte count) | Sets the maximum number of bytes to read from the file named in the environment variable NSRANDFILE (see below). Makes NSRANDFILE usable with /dev/urandom. | 3.12.3 |
NSRANDFILE | String (file name) | Uses this file to seed the Pseudo Random Number Generator. | Before 3.0 |
NSS_ALLOW_WEAK_SIGNATURE_ALG | Boolean (any non-empty value to enable) | Enables the use of MD2 and MD4 inside signatures. This was allowed by default before NSS 3.12.3. | 3.12.3 |
NSS_DEBUG_PKCS11_MODULE | String (module name) | Name of the PKCS#11 module to be traced. See PKCS #11 Module Logger. | 3.6 |
NSS_DEFAULT_DB_TYPE | String ("dbm", "sql", or "extern") | Determines the default database type to open if the app does not specify one. See NSS_Shared_DB. | 3.12 |
NSS_DISABLE_ARENA_FREE_LIST | String (any non-empty value) | Define this variable to get accurate leak allocation stacks when using leak reporting software. See NSS_Memory_allocation. | 3.4 |
NSS_DISABLE_UNLOAD | String (any non-empty value) | Disables unloading of dynamically loaded NSS shared libraries during shutdown. Necessary on some platforms to get correct function names when using leak reporting software. | 3.11.8 |
NSS_ENABLE_AUDIT | Boolean (1 to enable) | Enables auditing of activities of the NSS cryptographic module in FIPS mode. See Audit Data. | 3.11.2 |
NSS_ENABLE_PKIX_VERIFY | Boolean (any non-empty value to enable) | Use libPKIX, rather than the old cert library, to verify certificates. | 3.12 |
NSS_FIPS | String ("fips","true","on","1") | Starts NSS in FIPS mode. | 3.12.5 |
NSS_HASH_ALG_SUPPORT | String | Specifies algorithms allowed to be used in certain applications, such as in signatures on certificates and CRLs. See the documentation. | 3.12.3 |
NSS_OUTPUT_FILE | String (filename) | Output file path name for the PKCS #11 Module Logger. Default is stdout. | 3.7 |
NSS_SDB_USE_CACHE | String ("no","yes","auto") | Controls whether NSS uses a local cache of SQL database contents. Default is "auto". See the source for more information. | 3.12 |
NSS_SSL_CBC_RANDOM_IV | String ("0", "1") | Controls the workaround for the BEAST attack on SSL 3.0 and TLS 1.0. "0" disables it, "1" enables it. It is also known as 1/n-1 record splitting. Default is "1". | |
NSS_SSL_ENABLE_RENEGOTIATION | String ([0\|n\|N], [1\|u\|U], [2\|r\|R], [3\|t\|T]) | (Definition for NSS 3.12.6 and above) Sets how TLS renegotiation is handled. Server and client are allowed to renegotiate without any restrictions. Never allow renegotiation - that was the default for the 3.12.5 release. Disallows unsafe renegotiation in server sockets only, but allows clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period when few servers have been upgraded. Only allows renegotiation if the peer's hello bears the TLS renegotiation_info extension. | 3.12.5; modified in 3.12.6 |
NSS_SSL_REQUIRE_SAFE_NEGOTIATION | Boolean (1 to enable) | Controls whether the safe renegotiation indication is required for the initial handshake. In other words, a connection will be dropped at the initial handshake if a server or client does not support safe renegotiation. The default setting for this option is FALSE. | 3.12.5 |
NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT | Integer (seconds) | Timeout for detecting a dead or hung process in a multi-process SSL server. Default is 30 seconds. | 3.4 |
NSS_STRICT_NOFORK | String ("1", "DISABLED", or any other non-empty value) | It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error. This environment variable controls Softoken's response to that error. | 3.12.3 |
NSS_STRICT_SHUTDOWN | String (any non-empty value) | Triggers an assertion failure in debug builds when a program tries to shut down NSS before freeing all the resources it acquired from NSS while NSS was initialized. | 3.5 |
NSS_TRACE_OCSP | Boolean (any value to enable) | Enables OCSP tracing. The trace information is written to the file pointed to by NSPR_LOG_FILE (default stderr). See NSS tracing. | 3.12 |
NSS_USE_DECODED_CKA_EC_POINT | Boolean (any value to enable) | Tells NSS to send EC key points across the PKCS#11 interface in the non-standard unencoded format that was used by default before NSS 3.12.3. | 3.12.3 |
NSS_USE_SHEXP_IN_CERT_NAME | Boolean (any value to enable) | Tells NSS to allow shell-style wildcard patterns in certificates to match SSL server host names. This behavior was the default before NSS 3.12.3. | 3.12.3 |
PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK | String (any non-empty value) | Debug variable for PKIX leak checking. Note: The code must be built with PKIX_OBJECT_LEAK_TEST defined to use this functionality. | 3.12 |
SOCKETTRACE | Boolean (1 to enable) | Controls tracing of socket activity by libPKIX. Messages sent and received will be timestamped and dumped (to stdout) in standard hex-dump format. | 3.12 |
SQLITE_FORCE_PROXY_LOCKING | Boolean (1 to enable) | 1 means always use the proxy, 0 means never use the proxy, NULL means use the proxy for non-local files only. | 3.12.6 |
SSLBYPASS | Boolean (1 to enable) | Uses PKCS#11 bypass for performance improvement. Do not set this variable if FIPS is enabled. | 3.11 |
SSLDEBUG | Integer | Debug level. Note: The code must be built with DEBUG defined to use this functionality. | Before 3.0 |
SSLDEBUGFILE | String (file name) | File where debug or trace information is written. If not set, the debug or trace information is written to stderr. Note: SSLDEBUG or SSLTRACE must be set to use this functionality. | 3.12 |
SSLFORCELOCKS | Boolean (1 to enable) | Forces NSS to use locks for protection. Overrides the effect of SSL_NO_LOCKS (see ssl.h). | 3.11 |
SSLKEYLOGFILE | String (file name) | Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows packet sniffers to decrypt TLS connections. See documentation. | 3.12.6 |
SSLTRACE | Integer | Tracing level. Note: The code must be built with TRACE defined to use this functionality. | Before 3.0 |
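
The following is an added example, not code from NSS or from this page: it parses a process environment in the NUL-separated layout of `/proc/<pid>/environ` and reports the run-time variables that the table above describes as relaxing certificate or TLS protections. The function names `parse_environ` and `audit_nss_env` are hypothetical, the sample environment is constructed, and the reading of `1`/`u`/`U` as unrestricted renegotiation is an assumption taken from NSS's `ssl.h` rather than from this page.

```python
# Added example: flag NSS run-time variables that the table above describes
# as weakening TLS/certificate checks. All sample data is constructed.
FIPS_ON = {"fips", "true", "on", "1"}  # NSS_FIPS values listed in the table

def parse_environ(blob: bytes) -> dict:
    """Parse NUL-separated KEY=VALUE records (the /proc/<pid>/environ layout)."""
    env = {}
    for record in blob.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep and key:  # skip empty or malformed records
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def audit_nss_env(env: dict) -> list:
    """Return (variable, reason) pairs for settings that weaken security."""
    findings = []
    if env.get("NSS_ALLOW_WEAK_SIGNATURE_ALG"):  # any non-empty value enables
        findings.append(("NSS_ALLOW_WEAK_SIGNATURE_ALG",
                         "MD2 and MD4 allowed inside signatures"))
    if "NSS_USE_SHEXP_IN_CERT_NAME" in env:  # table says any value enables
        findings.append(("NSS_USE_SHEXP_IN_CERT_NAME",
                         "shell-style wildcards match SSL server host names"))
    if env.get("NSS_SSL_CBC_RANDOM_IV") == "0":
        findings.append(("NSS_SSL_CBC_RANDOM_IV",
                         "BEAST workaround (1/n-1 record splitting) disabled"))
    if env.get("SSLKEYLOGFILE"):
        findings.append(("SSLKEYLOGFILE",
                         "pre-master secrets logged to " + env["SSLKEYLOGFILE"]))
    # Assumption taken from NSS's ssl.h, not from this page: a value starting
    # with 1, u or U selects unrestricted renegotiation.
    if env.get("NSS_SSL_ENABLE_RENEGOTIATION", "")[:1].lower() in ("1", "u"):
        findings.append(("NSS_SSL_ENABLE_RENEGOTIATION",
                         "renegotiation allowed without any restrictions"))
    if env.get("SSLBYPASS") == "1" and env.get("NSS_FIPS", "").lower() in FIPS_ON:
        findings.append(("SSLBYPASS",
                         "PKCS#11 bypass set although NSS_FIPS requests FIPS mode"))
    return findings

# Constructed sample in the /proc/<pid>/environ layout.
SAMPLE = (b"PATH=/usr/bin\0NSS_SSL_CBC_RANDOM_IV=0\0SSLKEYLOGFILE=/tmp/keys.log\0"
          b"NSS_FIPS=1\0SSLBYPASS=1\0NSS_ALLOW_WEAK_SIGNATURE_ALG=\0")

if __name__ == "__main__":
    for name, reason in audit_nss_env(parse_environ(SAMPLE)):
        print(f"{name}: {reason}")
```

The empty `NSS_ALLOW_WEAK_SIGNATURE_ALG=` in the sample is not reported because that variable needs a non-empty value to take effect.
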
These environment variables affect the build (compilation) of NSS.
Variable | Type | Description | Introduced in version |
---|---|---|---|
BUILD_OPT | Boolean (1 to enable) | Do an optimized (not DEBUG) build. Default is to do a DEBUG build. | Before 3.0 |
MOZ_DEBUG_SYMBOLS | Boolean (1 to enable) | Needed on Windows to build with versions of MSVC (such as VC8 and VC9) that do not understand /PDB:NONE. | 3.11 |
MOZ_DEBUG_FLAGS | String | When MOZ_DEBUG_SYMBOLS is set, you may use MOZ_DEBUG_FLAGS to specify alternative compiler flags to produce symbolic debugging information in a particular format. | 3.12.8 |
NSDISTMODE | String | On operating systems other than Windows, this controls whether copies, absolute symlinks, or relative symlinks of the output files should be published to mozilla/dist. The possible values are: On Windows, copies of files are always published. | Before 3.0 |
NS_USE_GCC | Boolean (1 to enable) | On systems where GCC is not the default compiler, this tells NSS to build with gcc. | Before 3.0 |
NSS_ALLOW_SSLKEYLOGFILE | Boolean (1 to enable) | Enable NSS support in optimized builds for logging SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment variable is set. As of NSS 3.24 this is disabled by default. | 3.24 |
NSS_BUILD_CONTINUE_ON_ERROR | Boolean (1 to enable) | Continue building NSS source directories when a build error occurs. | 3.12.4 |
NSS_USE_SYSTEM_SQLITE | Boolean (1 to enable) | Use the system-installed sqlite library instead of the in-tree version. | 3.12.6 |
NSS_DISABLE_ECC (deprecated) | Boolean (1 to disable) | Disable Elliptic Curve Cryptography features. As of NSS 3.16, ECC features are enabled by default. As of NSS 3.33 this variable has no effect. | 3.16 |
NSS_ENABLE_ECC (deprecated) | Boolean (1 to enable) | Enable building of code that uses Elliptic Curve Cryptography. Unused as of NSS 3.16; see NSS_DISABLE_ECC. | Before 3.16; since 3.11. |
NSS_FORCE_FIPS | Boolean | Allows enabling FIPS mode using NSS_FIPS. | 3.24 |
OS_TARGET | String (target OS) | For cross-compilation environments only, when the target OS is not the default for the system on which the build is performed. Values understood: WIN95 | Before 3.0 |
USE_64 | Boolean (1 to enable) | On platforms that have separate 32-bit and 64-bit ABIs, NSS builds for the 32-bit ABI by default. This tells NSS to build for the 64-bit ABI. | Before 3.0 |
USE_DEBUG_RTL | Boolean (1 to enable) | On Windows, MSVC has options to build with a normal Run Time Library or a debug Run Time Library. This tells NSS to build with the Debug Run Time Library. | Before 3.0 |
USE_PTHREADS | Boolean (1 to enable) | On platforms where POSIX threads are available, but are not the OS's preferred threads library, this tells NSS and NSPR to build using pthreads. | Before 3.0 |
NSS_NO_PKCS11_BYPASS | String (1 to enable) | Disables, at compile time, the NSS SSL code that bypasses the PKCS#11 layer. When set, the SSLBYPASS run-time variable won't take effect. | Before 3.15 |